state: return_url not behaving as expected

I’m trying to use the state param to redirect the user to a completely different page after logging in. It’s not redirecting as expected.

My JS code for lock is as follows. I’ve also tried this explicitly with the return_url field in state

var lock = new Auth0Lock(AUTH0_CLIENT_ID, AUTH0_DOMAIN, {
    auth: {
        redirectUrl: AUTH0_CALLBACK_URL,
        params: {
            state: ""

What am I doing wrong?

Although you can use the state parameter to send data that will be returned to your client application when you receive the authentication response, you need to also use it as a way to mitigate against CSRF against your redirection endpoint. You can read more about the importance of doing this at: OAuth2 - The State Parameter

In addition, even when you use this parameter correctly to prevent CSRF and also to include data (like your URL) you need to take in consideration that it’s the responsibility of your client application to interpret that additional data. Some libraries perform automatic state validation from the perspective of CSRF mitigation, but if you then have custom behavior attached to a particular value received in the state parameter then you need to do this in your own client application.

Your question did not include any code associated with how it’s trying to react to this and perform an additional redirect based on state parameter so I’m assuming you were expecting this to happen automatically. If that’s the case, that is not true and you should handle that custom behavior in your own logic.